vault-init

The vault-init service automates the process of initializing and unsealing HashiCorp Vault instances running on Google Cloud Platform.

After vault-init initializes a Vault server it stores master keys and root tokens, encrypted using Google Cloud KMS, to a user defined Google Cloud Storage bucket.

Usage

The vault-init service is designed to be run alongside a Vault server and communicate over local host.

Kubernetes

Run vault-init in the same Pod as the Vault container. See the vault statefulset for a complete example.

Configuration

The vault-init service supports the following environment variables for configuration:

• CHECK_INTERVAL - The time in seconds between Vault health checks. (300)
• GCS_BUCKET_NAME - The Google Cloud Storage Bucket where the vault master key and root token is stored.
• KMS_KEY_ID - The Google Cloud KMS key ID used to encrypt and decrypt the vault master key and root token.

Example Values

CHECK_INTERVAL="300"
GCS_BUCKET_NAME="vault-storage"
KMS_KEY_ID="projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/key"

IAM & Permissions

The vault-init service uses the official Google Cloud Golang SDK. This means it supports the common ways of providing credentials to GCP.

To use this service, the service account must have the following minimum scope(s):

https://www.googleapis.com/auth/cloudkms
https://www.googleapis.com/auth/devstorage.read_write

Additionally, the service account must have the following minimum role(s):

roles/cloudkms.cryptoKeyEncrypterDecrypter
roles/storage.objectAdmin OR roles/storage.legacyBucketWriter

For more information on service accounts, please see the Google Cloud Service Accounts documentation.